Unusual Object results when importing an existing 7080 config to an Expedition Project

L1 Bithead

I have imported the config of an existing 7080 (PANOS 8.1.13) into a new Expedition project to see if I can analyze duplicate objects that can potentially be removed.

I'm not seeing what I expected though. Expedition shows no Address Objects, Address Groups, or Security Policies and very few Services (only 3), but seems to have all the zones.

I also see some "ghost" objects for Address objects...my understanding was that you would see ghost objects when you migrated from a different vendor config file, but these were originally greenfield FWs when my client built them.

Full disclosure, I am importing the config that was exported from the FW, and the FW is managed by Panorama, so maybe that has something to do with it? But I would figure all the config info would have to be in the running config .xml (created a snapshot, and then exported).

My original concern in trying to find duplicate objects/etc is that my Panorama config is 12.9 meg, it's only managing 2 FW pairs...one pair has a config that is 1.2meg and the other pair has config that is 600k...not sure how the Panorama config got to be so huge.

Thank you for any insight.

-Matt

Highlighted
L3 Networker

Hello,

I think this is the answer to your question. If you are having your Panorama manage your firewalls through templates, then your firewall has almost no configuration within it. So if you import that firewall configuration into Expedition you will see little to nothing, since most of the policy management and updates are coming from Panorama. You will need to look at your firewall and what configuration it actually has in it versus what Panorama has and pushes to that firewall.

So if you do that and realize that Panorama has all of the configuration information, then you can work with that. I hope that explanation was able to answer your question.
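An added example, not part of the thread and not Expedition or Palo Alto Networks code: a short script that counts objects per scope in an exported config and lists address values defined more than once, which shows whether a file actually holds the objects or leaves them to Panorama. The element paths (`shared`, `devices/entry/vsys`, `devices/entry/device-group`) are the commonly seen PAN-OS XML layout and are assumed here; the sample config and its object names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not from the thread): a device group repeats a shared value.
SAMPLE = """<config>
  <shared><address>
    <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  </address></shared>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="DG-Branch"><address>
      <entry name="srv-web"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="dns-ext"><fqdn>dns.example.com</fqdn></entry>
    </address></entry></device-group>
  </entry></devices>
</config>"""

KINDS = ("address", "address-group", "service")   # object containers counted
VALUE_TAGS = ("ip-netmask", "ip-range", "fqdn")   # address value elements

def scopes(root):
    """Yield (scope, element) for shared, each vsys and each device group."""
    shared = root.find("shared")
    if shared is not None:
        yield "shared", shared
    for container in ("vsys", "device-group"):
        for e in root.findall(f"devices/entry/{container}/entry"):
            yield f"{container}:{e.get('name')}", e

def count_objects(xml_text):
    """Per-scope object counts; all zeros means nothing is defined in this file."""
    root = ET.fromstring(xml_text)
    return {name: {k: len(el.findall(f"{k}/entry")) for k in KINDS}
            for name, el in scopes(root)}

def duplicate_addresses(xml_text):
    """Map (value type, value) to every (scope, object name) that defines it."""
    root = ET.fromstring(xml_text)
    seen = defaultdict(list)
    for name, el in scopes(root):
        for entry in el.findall("address/entry"):
            for tag in VALUE_TAGS:
                value = entry.findtext(tag)
                if value:
                    seen[(tag, value.strip())].append((name, entry.get("name")))
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(count_objects(SAMPLE))
    print(duplicate_addresses(SAMPLE))
```

Running it against both the firewall export and the Panorama export shows which file carries the objects before either is loaded into a project.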

L1 Bithead

Ok, that does make sense. So if I am seeing those few objects in the FW config, then those are resident on the FW...not in the Panorama Templates/DGs and I may run into issues?

Can anyone speak about the "ghost" objects I'm seeing?

Thank you,

-Matt

L3 Networker

No, you shouldn't run into issues if there is some type of overlap between the firewall and Panorama; when you "merge" the configs those might become ghost objects. I believe when you have Panorama you would like that to become the overall management of your firewall in all aspects, so the goal is always to push everything from Panorama, and what isn't being pushed by Panorama you would want to migrate those firewall configs into Panorama to accomplish this.

More information on ghost objects and how to manage them is in this post.

https://live.paloaltonetworks.com/t5/Expedition-Articles/What-Are-Ghost-Objects-and-How-To-Manage-Th...
